Logwatch with Metalog

From Gentoo Linux Wiki


In their default setup, logwatch and metalog do not work together particularly well. This guide will show you how to reconfigure them so that logwatch can easily read metalog generated log files.

This guide assumes you already have metalog installed and configured, but that you have not yet installed or configured logwatch.


Initial Setup

Install logwatch with:
emerge -a logwatch

Next we want to copy the files we intend to edit from the default logwatch configuration to /etc/logwatch/conf:

mkdir -p /etc/logwatch/conf/logfiles
cp -ar /usr/share/logwatch/default.conf/logfiles/{cron.conf,kernel.conf,maillog.conf,messages.conf} /etc/logwatch/conf/logfiles/


Metalog Timestamp Format

As of metalog-1, the default timestamp format has changed and is additionally now configurable. To set it back to the format that logwatch expects, add the following line to the top of /etc/metalog.conf:

stamp_fmt = "%b %e %T"

Reconfigure log files

Metalog's default log layout is completely different from syslog-ng's: it uses a directory per log and names the currently active file "current". We therefore need to reconfigure where logwatch looks for log files.

Messages / Everything

Let's start with "messages", which metalog calls "everything". Edit /etc/logwatch/conf/logfiles/messages.conf and add LogFile and Archive options so that they read as follows:

File: /etc/logwatch/conf/logfiles/messages.conf
# What actual file?  Defaults to LogPath if not absolute path....
LogFile = messages
LogFile = everything/current

# If the archives are searched, here is one or more line
# (optionally containing wildcards) that tell where they are...
#If you use a "-" in naming add that as well -mgt
Archive = messages.*
Archive = archiv/messages.*
Archive = everything/log-*

LogFile determines the currently active log file, while Archive tells logwatch where the archived logs are kept. Logwatch will happily deal with compressed archived logs in bzip2 or gzip formats.

...And The Rest

Now we want to update the remaining log file configs in the same manner.

File: /etc/logwatch/conf/logfiles/cron.conf
# What actual file?  Defaults to LogPath if not absolute path....
#Solaris is /var/cron/log -mgt
LogFile = /var/cron/log
LogFile = cron
LogFile = crond/current

# If the archives are searched, here is one or more line
# (optionally containing wildcards) that tell where they are...
Archive = cron.*
Archive = archiv/cron.*
Archive = crond/log-*

File: /etc/logwatch/conf/logfiles/kernel.conf
LogFile = kern.log
LogFile = kern.log.0
LogFile = kernel/current
Archive = kern.log.*.gz
Archive = kernel/log-*

Special Case: Mail Log

By default, metalog sends all mail logs to the "everything" log, but /etc/metalog.conf also contains a commented-out section that sends mail logs to their own dedicated log.

If you use the default setup, edit the maillog.conf as follows:

File: /etc/logwatch/conf/logfiles/maillog.conf
# What actual file?  Defaults to LogPath if not absolute path....
LogFile = maillog
LogFile = syslog
LogFile = mail.log
LogFile = mail.log.0
LogFile = everything/current

# If the archives are searched, here is one or more line
# (optionally containing wildcards) that tell where they are...
#If you use a "-" in naming add that as well -mgt
Archive = maillog.*
Archive = syslog.*
Archive = archiv/maillog.*
Archive = mail.log.*.gz
Archive = everything/log-*


If you have uncommented the optional section, edit the maillog.conf so that it reads:

File: /etc/logwatch/conf/logfiles/maillog.conf
# What actual file?  Defaults to LogPath if not absolute path....
LogFile = maillog
LogFile = syslog
LogFile = mail.log
LogFile = mail.log.0
LogFile = mail/current

# If the archives are searched, here is one or more line
# (optionally containing wildcards) that tell where they are...
#If you use a "-" in naming add that as well -mgt
Archive = maillog.*
Archive = syslog.*
Archive = archiv/maillog.*
Archive = mail.log.*.gz
Archive = mail/log-*

Modifying Shared Scripts

Some of the shared scripts that come with logwatch don't work with the metalog format log files by default. The following sections show you how to modify these scripts to fix or work around these issues.

OnlyHost

Metalog doesn't record the machine's hostname in its log files, but logwatch filters some log files and discards every entry that doesn't contain the hostname. To fix this, we'll override the logwatch OnlyHost script with a modified version.

First, set up the custom scripts location:
mkdir -p /etc/logwatch/scripts/shared

Now create the custom version of the OnlyHost script as /etc/logwatch/scripts/shared/onlyhost with the following content:

File: /etc/logwatch/scripts/shared/onlyhost
use strict;

my $line;
while (defined($line = <STDIN>)) {
   print $line;
}

This version of the script simply returns the input, since there's no hostname entry in the metalog log files to filter on.

OnlyService, MultiService and RemoveService

The default (Only|Multi|Remove)Service scripts do not work with metalog log files, so as with the OnlyHost script, we'll override them with versions that do. Start by copying the existing scripts:

cp -a /usr/share/logwatch/scripts/shared/{multiservice,onlyservice,removeservice} /etc/logwatch/scripts/shared/

Now edit the scripts to read as follows, adding the last elsif section to each:

File: /etc/logwatch/scripts/shared/multiservice
##########################################################################
# $Id: multiservice,v 1.5 2005/02/24 17:08:05 kirk Exp $
##########################################################################

########################################################
# This was written and is maintained by:
#    Kirk Bauer <kirk@kaybee.org>
#
# Please send all comments, suggestions, bug reports,
#    etc, to kirk@kaybee.org.
########################################################

# This will pick out only the wanted service from a logfile
# in the standard /var/log/messages format.  Case insensitive.

@ServiceName = split(/,/,$ARGV[0]);

if ( $ENV{'LOGWATCH_DEBUG'} > 5 ) {
   print STDERR "DEBUG: Inside MultiService for $ServiceName[0]\n";
}

while (defined($ThisLine = <STDIN>)) {
   for $ServiceName (@ServiceName) {
      # No /o flag here: $ServiceName changes on every loop iteration, and /o
      # would compile the pattern only once, with the first service name.
      if ($ThisLine =~ m/^... .. ..:..:.. [^ ]* $ServiceName\[[0123456789]*\]:/i) {
         print $ThisLine;
      }
      elsif ($ThisLine =~ m/^... .. ..:..:.. [^ ]* [^ ]*\[[0123456789]*\]: \[ID [0-9]+ $ServiceName/i) {
         print $ThisLine;
      }
      elsif ($ThisLine =~ m/^... .. ..:..:.. [^ ]* [^ ]*: \[ID [0-9]+ $ServiceName/i) {
         print $ThisLine;
      }
      elsif ($ThisLine =~ m/^... .. ..:..:.. [^ ]* $ServiceName:/i) {
         print $ThisLine;
      }
      # Metalog format: no hostname, the service name in square brackets.
      elsif ($ThisLine =~ m/^... .. ..:..:.. \[$ServiceName\]/i) {
         print $ThisLine;
      }
   }
}
# vi: shiftwidth=3 syntax=perl tabstop=3 et


File: /etc/logwatch/scripts/shared/onlyservice
##########################################################################
# $Id: onlyservice,v 1.9 2005/11/30 23:52:27 bjorn Exp $
##########################################################################

########################################################
# This was written and is maintained by:
#    Kirk Bauer <kirk@kaybee.org>
#
# Please send all comments, suggestions, bug reports,
#    etc, to kirk@kaybee.org.
########################################################

# This will pick out only the wanted service from a logfile
# in the standard /var/log/messages format.  Case insensitive.

$ServiceName = $ARGV[0];
if ( $ENV{'LOGWATCH_DEBUG'} > 5 ) {
   print STDERR "DEBUG: Inside OnlyService for $ServiceName\n";
}

while (defined($ThisLine = <STDIN>)) {
    if ($ThisLine =~ m/^... .. ..:..:.. [^ ]* $ServiceName\[[0123456789]*\]: /io) {
      print $ThisLine;
    }
    elsif ($ThisLine =~ m/^... .. ..:..:.. [^ ]* [^ ]*\[[0123456789]*\]: \[ID [0-9]+ $ServiceName/io) {
      print $ThisLine;
    }
    elsif ($ThisLine =~ m/^... .. ..:..:.. [^ ]* [^ ]*: \[ID [0-9]+ $ServiceName/io) {
      print $ThisLine;
    }
    elsif ($ThisLine =~ m/^... .. ..:..:.. [^ ]* $ServiceName: /io) {
      print $ThisLine;
    }
    elsif ($ThisLine =~ m/^... .. ..:..:.. [^ ]* $ServiceName /io) {
      print $ThisLine;
    }
    elsif ($ThisLine =~ m/^... .. ..:..:.. \[$ServiceName\]/io) {
      print $ThisLine;
    }
}

# vi: shiftwidth=3 syntax=perl tabstop=3 et

The removeservice script is slightly different. Here we add a condition to the unless construct so that it becomes:

File: /etc/logwatch/scripts/shared/removeservice
use strict;
##########################################################################
# $Id: removeservice,v 1.7 2005/02/24 17:08:05 kirk Exp $
##########################################################################

########################################################
# This was written and is maintained by:
#    Kirk Bauer <kirk@kaybee.org>
#
# Please send all comments, suggestions, bug reports,
#    etc, to kirk@kaybee.org.
########################################################

my ($ServiceName, $ThisLine);
my ($linesin, $linesout) = (0, 0);

# This will remove the unwanted service from a logfile
# in the standard /var/log/messages format.  Case insensitive

if ( $ENV{'LOGWATCH_DEBUG'} > 5 ) {
   print STDERR "DEBUG: Inside RemoveService...\n";
}

$ServiceName = $ARGV[0];

while (defined($ThisLine = <STDIN>)) {
   $linesin++;
   unless ( ($ThisLine =~ m/^... .. ..:..:.. [^ ]* $ServiceName\[[0123456789]*\]: /oi) or
            ($ThisLine =~ m/^... .. ..:..:.. [^ ]* $ServiceName: /oi) or
            # Metalog format: no hostname, the service name in square brackets.
            ($ThisLine =~ m/^... .. ..:..:.. \[$ServiceName\]/oi) ) {
      $linesout++;
      print $ThisLine;
   }
}

if ( $ENV{'LOGWATCH_DEBUG'} > 5 ) {
   print STDERR "DEBUG: Inside RemoveService: $linesin Lines In, $linesout Lines Out\n";
}

# vi: shiftwidth=3 syntax=perl tabstop=3 et
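To see why the extra elsif branch matters, here is an added Python re-implementation of the onlyservice and removeservice matching logic (not part of this page, of logwatch or of metalog) run over constructed syslog-ng and metalog lines; the sample lines and the sshd/cron service names are assumptions.

```python
import re

# Timestamp prefix the logwatch shared scripts expect ("Jan  5 12:34:56"),
# which is what metalog's stamp_fmt = "%b %e %T" produces.
TS = r"^... .. ..:..:.. "

def service_patterns(service):
    """Alternatives from the page's onlyservice script, in order; the last one
    is the metalog form (no hostname, service in brackets). As in the Perl,
    `service` is interpolated unescaped, so it may be a regex fragment."""
    return [
        re.compile(TS + r"[^ ]* " + service + r"\[[0-9]*\]: ", re.I),            # host service[pid]:
        re.compile(TS + r"[^ ]* [^ ]*\[[0-9]*\]: \[ID [0-9]+ " + service, re.I),  # Solaris message IDs
        re.compile(TS + r"[^ ]* [^ ]*: \[ID [0-9]+ " + service, re.I),
        re.compile(TS + r"[^ ]* " + service + r": ", re.I),                       # host service:
        re.compile(TS + r"[^ ]* " + service + r" ", re.I),
        re.compile(TS + r"\[" + service + r"\]", re.I),                           # metalog: [service]
    ]

def matching_branch(line, service, with_metalog=True):
    """Index of the first alternative matching `line`, or None. with_metalog=False
    reproduces the stock script, which lacks the final branch."""
    pats = service_patterns(service)
    if not with_metalog:
        pats = pats[:-1]
    for i, pat in enumerate(pats):
        if pat.search(line):
            return i
    return None

def only_service(lines, service):
    """Patched onlyservice: keep only lines belonging to `service`."""
    return [l for l in lines if matching_branch(l, service) is not None]

def remove_service(lines, service):
    """Patched removeservice: drops the pid form, the plain "service:" form
    and the metalog "[service]" form, as its unless() construct does."""
    pats = service_patterns(service)
    drop = (pats[0], pats[3], pats[5])
    return [l for l in lines if not any(p.search(l) for p in drop)]

# Constructed sample lines: one syslog-ng style line and two metalog style lines.
SAMPLE = [
    "Jan  5 12:34:56 gentoo sshd[1234]: Accepted publickey for alice from 192.0.2.10",
    "Jan  5 12:34:57 [sshd] Accepted publickey for alice from 192.0.2.10",
    "Jan  5 12:34:58 [cron] (root) CMD (run-parts /etc/cron.hourly)",
]
```

Running the stock alternatives (with_metalog=False) over the second line returns None, which is exactly why a metalog host shows empty sshd sections in the logwatch report until the extra branch is added.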
